Management UI logs out basic auth users on page load when both oauth and basic auth are enabled

[laurensOost]

Describe the bug

RabbitMQ version
4.2.2
Management plugin enabled

Relevant documentation: https://www.rabbitmq.com/docs/management#allow-basic-auth-for-mgt-ui

OAuth provider: Keycloak
Basic Auth: administrator user

Description
When OAuth2 is enabled in the management UI, logging in with Basic Auth does not persist. On page reload or navigation, the session is cleared if there is no active OIDC session, loggin the basic auth user out.

OIDC auth check does not seem to check if a basic auth user is logged in, returns only state of oauth user. So when a new page is loaded, the credentials, auth-scheme keys and "m" cookie will be cleared forcing a logout.

Testing the callstack it appears (!status.loggedIn) called clear_auth() in prefs.js

->

rabbitmq-server/deps/rabbitmq_management/priv/www/js/prefs.js

Line 37 in 2a9ba19

function clear_auth() {

If the idp or OIDC client does not confirm an active session (status.loggedIn is false), the condition is met while the user is logged in using basic auth.

The issue happens only when logging in with basic auth combined with oauth enabled, no issues with oidc. Seems with basic auth it looks for a active session from the idp even when there is none.

Relevant code:

function clear_auth() {
    clear_local_pref(CREDENTIALS)
    clear_local_pref(AUTH_SCHEME)
    clear_cookie_value(LOGIN_SESSION_TIMEOUT)
    clear_cookie_value(LOGGED_IN)
    clear_local_pref(AUTH_RESOURCE)
}

->

rabbitmq-server/deps/rabbitmq_management/priv/www/js/prefs.js

Line 37 in 2a9ba19

function clear_auth() {

if (!status.loggedIn) {
  clear_auth();
}

->

rabbitmq-server/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js

Line 124 in 2a9ba19

if (!status.loggedIn) {

Relevant config:

management.oauth_enabled = true
management.oauth_disable_basic_auth = false

Reproduction steps

1. Enable OAuth2 in management plugin: management.oauth_enabled = true
2. Allow basic auth alongside OAuth2: management.oauth_disable_basic_auth = false
3. Open management UI and login using basic auth
4. Refresh or navigate to another page / open new tabs
   ...

Expected behavior

Current behaviour:

• On page load, UI checks OIDC session state
• If no OIDC session exists:
  -> Basic Auth credentials are cleared
  -> User is logged out

Expected:

• Basic Auth session remains active
• No dependency on OIDC session state when using Basic Auth

Additional context

No response

[michaelklishin]

Thanks for the details but OAuth 2 was largely designed with the idea that it would be used exclusively due to the extensive changes it requires in the management UI.

Knowing what function is relevant does not change any of that.

This is very different from, say, LDAP or a custom HTTP-based services which require no management UI changes.

[laurensOost]

Thank you for the quick response, this clears things up. The documentation on this is a bit misleading then, since it explicitly mentions the ability to combine both OAuth 2 and basic auth: https://www.rabbitmq.com/docs/management#allow-basic-auth-for-mgt-ui

For our use case this would be ideal, having the ability to fallback on basic auth in the case our idp provider would be unavailable during an incident. What is the suggested fallback in such a scenario? For a HA cluster, having to restart the broker to rollback to basic auth only in such an incident is not ideal.

[michaelklishin]

We will edit the docs.

Not supporting this combination is not an explicit goal, it just a practical reality we have ended up in a few years after introducing OAuth 2 support.

@laurensOost note that RabbitMQ is a rare tool to support multiple IDPs, so you can set up a backup IDP, e.g. Keycloak in addition to Entra just to give an example. That feature was originally added for IDP migrations but I can see it being useful for redundancy.

@MarcialRosales would you agree with the above idea?

[MarcialRosales]

Hi, It is a legitimate issue which I am fixing here #15793. There is no need to change the docs. It should be possible to login via oauth 2.0 and/or Basic auth. And in fact, @laurensOost is able to login. It is just an issue introduced after we allowed both mechanisms. As @michaelklishin said, in the past it was exclusively OAuth 2.0 mechanism. But now that both mechanisms are allowed, there is a code path which was not properly updated.